VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
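The description above is the whole weakness in one sentence; the entries below show it in PHP (unserialize() on a POST parameter), Java (type headers resolved against a trusted-package list) and Python (LangChain's object allowlists). The following is an added illustration written for this page, not code from VYPR, MITRE or any of the listed projects. It uses Python's pickle because the same pattern is visible in the LangChain entry: a class named Gadget with a __reduce__ that resolves to os.getcwd stands in for a real gadget chain (an attacker would name os.system or subprocess.Popen instead), the payload bytes are constructed inline, and the function names (unsafe_load, safe_load, RestrictedUnpickler, demo) are this example's own. The hardened loader resolves globals only from an explicit (module, name) allowlist, matches exactly rather than by prefix, and treats an empty allowlist as "deny all" rather than "trust all", which are the two allowlist mistakes the Spring Pulsar entry describes.

```python
import io
import os
import pickle


# --- attacker side ----------------------------------------------------------
class Gadget:
    """Hypothetical gadget: __reduce__ tells the unpickler to call a callable
    of the attacker's choosing with attacker-chosen arguments. Real payloads
    reference os.system or subprocess.Popen; os.getcwd is used here so the
    demo is harmless, but it is still attacker-selected code that runs inside
    the loader before the application sees any "value"."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_malicious_payload() -> bytes:
    # Constructed sample input. The bytes reference the target function by
    # module and name only; the receiving process never needs the Gadget class.
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    # Constructed sample input: plain data. pickle encodes dict, list, str and
    # int with opcodes that never perform a global lookup, so loading this
    # needs no allowlist entries at all.
    return pickle.dumps({"user": "alice", "roles": ["viewer"], "retries": 3})


# --- vulnerable server side -------------------------------------------------
def unsafe_load(data: bytes):
    """CWE-502 as written: untrusted bytes go straight into pickle.loads,
    and whatever global the payload names is resolved and called."""
    return pickle.loads(data)


# --- hardened server side ---------------------------------------------------
class RestrictedUnpickler(pickle.Unpickler):
    """Resolves a global only if its exact (module, name) pair is allowlisted.

    Exact matching means allowing ("app.models", "Order") does not allow
    ("app.models_evil", "Order"). An empty allowlist denies every lookup;
    it must never fall back to trusting everything.
    """

    def __init__(self, file, allowed: frozenset):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(data: bytes, allowed: frozenset = frozenset()):
    """Deserialize with the allowlist; callers opt in per (module, name)."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def demo() -> dict:
    """Run both loaders against both payloads and report what happened."""
    malicious, benign = build_malicious_payload(), build_benign_payload()
    results = {}
    # The vulnerable loader executes the gadget: the 'value' it returns is
    # whatever os.getcwd() produced inside the unpickler.
    results["unsafe_ran_gadget"] = unsafe_load(malicious) == os.getcwd()
    # The hardened loader still handles ordinary data with an empty allowlist.
    results["safe_benign"] = safe_load(benign)
    # ...and refuses the gadget before any callable is resolved.
    try:
        safe_load(malicious)
        results["safe_blocked_gadget"] = False
    except pickle.UnpicklingError:
        results["safe_blocked_gadget"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist is the minimum: even with it, prefer a data-only format (JSON with schema validation) for anything crossing a trust boundary, since any allowlisted class whose constructor or __setstate__ has side effects is itself a gadget.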

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 44 of 87
  • CVE-2017-7293 (High) Apr 26, 2017
    risk 0.54, CVSS 7.8, EPSS 0.03

    The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for DCOM. This affects Dolby Audio X2 (DAX2) 1.0, 1.0.1, 1.1, 1.1.1, 1.2, 1.3, 1.3.1,…

  • CVE-2026-48853 (Critical) Jun 15, 2026
    risk 0.53, CVSS not listed, EPSS 0.01

    Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it,…

  • CVE-2026-42687 (High) Jun 15, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.

  • CVE-2026-27333 (High) Jun 15, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.

  • CVE-2026-41699 (High) Jun 11, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the…

  • CVE-2026-41732 (High) Jun 10, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a…

  • CVE-2026-41855 (High) Jun 9, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class…

  • CVE-2026-39555 (High) Jun 2, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.

  • CVE-2026-39551 (High) Jun 2, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1.

  • CVE-2026-39550 (High) Jun 2, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6.

  • CVE-2026-44843 (High) May 26, 2026
    risk 0.53, CVSS 8.2, EPSS 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths…

  • CVE-2026-7647 (High) May 2, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the…

  • CVE-2026-6023 (High) Apr 22, 2026
    risk 0.53, CVSS 8.1, EPSS 0.01

    In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code…

  • CVE-2026-23971 (High) Mar 25, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection. This issue affects WoodMart: from n/a through <= 8.3.8.

  • CVE-2026-22510 (High) Mar 25, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection. This issue affects Melody: from n/a through <= 1.6.3.

  • CVE-2026-22505 (High) Mar 25, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection. This issue affects Morning Records: from n/a through <= 1.2.

  • CVE-2026-27096 (High) Mar 19, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.

  • CVE-2026-2626 (High) Mar 11, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data,…

  • CVE-2026-27369 (High) Mar 5, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection. This issue affects Celeste: from n/a through <= 1.3.6.

  • CVE-2026-27098 (High) Mar 5, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme au-pair-agency allows Object Injection. This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2.